Removing Rootkit.Zlob


As most of you know, I own a computer repair company called Las Vegas Geeks. One of the most common problems I run into is viruses, spyware, or some other kind of malware. There are some great utilities out there to help clean up these problems, but new malware comes out faster than the tools to clean it up. Yesterday, I was at two different places that had the same malware, Rootkit.Zlob. I was able to get most of the problems fixed using ComboFix, HijackThis, Spybot and a quick scan with Malwarebytes' Anti-Malware. But the system was still running very sluggishly. I did a full scan with Malwarebytes and it would find two results of Rootkit.Zlob in the C:\Documents and Settings\%Username%\ folder. When I tried to remove them with Malwarebytes, the system would freeze up. I could find the folder with the Command Prompt, but of course, since it's a rootkit, I couldn't remove it or find anything inside the folder.

I thought about trying to use the Windows Recovery Console, but since the problem is in the Documents and Settings folder, the default settings of the Recovery Console would not have allowed me to get into this folder. And the system was running slowly enough that I didn't want to try to change those settings. So, I booted the system from a LiveCD. I could then find this folder and remove it. The system ran great after that. I should have had the same results plugging the drive into a different PC, although I didn't try that.
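The reason the LiveCD worked is that a kernel-mode rootkit only hides its folder from the running system; an offline view of the same volume (LiveCD, or the drive slaved into a clean PC) shows everything. The script below is an added example, not code from the original post or from any of the tools named in it. It models that "cross-view" comparison: the listing the infected machine's own `dir` printed against the listing taken from the mounted volume, then quarantines (moves, rather than deletes) whatever only the offline view shows. The folder names, including the hidden `WinTmp32`, are constructed for illustration and are not the real Zlob artefacts; `run_offline_cleanup` and its arguments are hypothetical names chosen here.

```python
"""Cross-view comparison of a user profile folder (added example).

A rootkit hides its directory from listings taken on the running system, but
an offline mount of the same volume shows it. Diffing the two listings points
at the hidden entries, which are then moved into a quarantine folder.
"""
import shutil
from pathlib import Path

# Constructed "live" listing: what the infected system's own `dir` showed
# for C:\Documents and Settings\<user>. Names are illustrative only.
LIVE_LISTING = [
    "Application Data",
    "Cookies",
    "Desktop",
    "Favorites",
    "Local Settings",
    "My Documents",
    "Start Menu",
]

# Constructed "offline" listing of the same folder as seen from a LiveCD.
# "WinTmp32" is a hypothetical hidden folder, not a real Zlob name.
OFFLINE_LISTING = LIVE_LISTING + ["WinTmp32"]


def cross_view_diff(live_listing, offline_listing):
    """Return names the offline view shows but the running OS did not.

    Comparison is case-insensitive because NTFS is case-preserving but
    case-insensitive. The live view is trusted only for what it does show,
    so anything extra in the offline view is treated as suspicious.
    """
    live = {name.lower() for name in live_listing}
    offline = {name.lower() for name in offline_listing}
    return sorted(offline - live)


def offline_listing(profile_root):
    """Directory names under the profile as seen from the offline mount."""
    return [p.name for p in Path(profile_root).iterdir() if p.is_dir()]


def quarantine_hidden(profile_root, hidden_names, quarantine_root):
    """Move each hidden folder out of the profile into a quarantine folder.

    Moving instead of deleting keeps the files for later analysis and is
    reversible if the diff flagged something legitimate. Returns the new
    paths of the moved folders.
    """
    profile_root = Path(profile_root)
    quarantine_root = Path(quarantine_root)
    quarantine_root.mkdir(parents=True, exist_ok=True)
    moved = []
    for name in hidden_names:
        # Recover the real on-disk casing; the diff lower-cased the names.
        matches = [p for p in profile_root.iterdir() if p.name.lower() == name]
        for src in matches:
            dst = quarantine_root / src.name
            shutil.move(str(src), str(dst))
            moved.append(dst)
    return moved


def run_offline_cleanup(profile_root, live_listing, quarantine_root):
    """Whole flow: diff the live listing against the mounted volume, then
    quarantine the extras. Returns (hidden_names, moved_paths)."""
    hidden = cross_view_diff(live_listing, offline_listing(profile_root))
    return hidden, quarantine_hidden(profile_root, hidden, quarantine_root)


if __name__ == "__main__":
    # Dry demonstration on the constructed listings, no filesystem changes.
    print(cross_view_diff(LIVE_LISTING, OFFLINE_LISTING))  # ['wintmp32']
```

In practice `profile_root` is the path of the mounted volume's profile folder on the LiveCD (for example under `/mnt`), and `live_listing` is the `dir` output captured on the infected system before shutdown; the diff is the same whether the drive is booted from a LiveCD or plugged into another PC.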


2 Comments

  1. Just ran across my first machine with rootkit.zlob as well. As you stated, used a combination of tools (all of the above mentioned plus the Sophos RootKit package). My fix (in lieu of slaving the drive into another machine) was to create a new admin user account – and reran tools from that account. That caught the hidden folders in the other user’s account and cleaned the issue. Just another thing to try!
